The coin flipping selector for selective encryption

The coin ipping selector for selective encryption

Richard Ostertág^? Department of Computer Science, Faculty of Mathematics, Physics and Informatics,

Comenius University,

Mlynská dolina, 842 48 Bratislava, Slovak Republic ostertag@dcs.fmph.uniba.sk

http://www.dcs.fmph.uniba.sk Abstract. Some applications require high-speed encryp-

tion even at the expense of reduced security. With a xed secure, but slow cryptographic algorithm, there still is an appealing possibility for encryption speedup by encrypting only some portion of data. In this paper we analyze the ciphertext security obtained this way. We show that it is not possible to exclude from encryption even a small con- stant fraction of data without signicantly compromising security.

1 Motivation, assumptions, goals

Volume of data is nowadays bigger than ever. Multi- media are a typical example. Fast real-time on-demand encryption of multiple multimedia streams requires specialized powerful hardware.

It is sometimes not possible (or economical) to use powerful enough hardware solution. Then we can replace the encryption algorithm with a faster al- though maybe less secure one. Another possibility is to use selective encryption with the original secure al- gorithm. In this case we encrypt only some fraction of plaintext. Let p denote the fraction of encrypted plaintext. The parameterpranges between 0 (no en- cryption) and1(full encryption) and is used to control the balance between the encryption speedup and the security.

For example, selective encryption is used for on- line encryption of MPEG video [1]. In this case, the knowledge of the internal data structure is exploited in order to encrypt only DC coecients and sign bits of motion vectors. Similar techniques are also used for pictures [2]. For overview of selective encryption meth- ods see [3]. Security of these algorithms is not formally proved.

We formally analyze security of selective encryp- tion in this paper. As we are interested in a general case, we make no assumptions on the internal data structure or on statistical properties of the plaintext.

We originally hoped that it could be possible to se- lectively encrypt portion of plaintext while maintain- ing reasonable security. However, we show that this

?Supported by VEGA grant No. 1/3106/06.

does not work. Since we prove a negative result, it is only better if assumptions are more disadvantageous for the attacker than in practical usage:

1. One-time pad is used as the encrypting algorithm.

One-time pad is the rst and only encryption algo- rithm for which there is a proof of perfect secrecy if the key is truly random, never reused, and kept se- cret. We choose this cipher to abstract from even- tual weaknesses of the actual cipher which can be exploited by attacker. Theoretical results obtained this way can be used in practice as upper bounds for security of any other selected encryption algo- rithm.

2. Attacker can manage no more than ciphertext-only attack.

The attacker is assumed to have access only to a ciphertext and full description of selective en- cryption algorithm. This means that the attacker knows the enciphering algorithm and also the method of bit selection for enciphering.

3. Attack is peformed using brute force.

Key space is searched from the most probable key to the least probable key omitting impossible keys to minimize the attacker's work. We assume that the selection algorithm chooses bits for encrypting independently from plaintext content (besides its length). In general it cannot be expected that a better attack is possible. However in actual situa- tion specic properties¹ of plaintext can lead to a more ecient attack.

4. Attack complexity measure is dened as a fraction of key space that attacker has to search in average to nd the key.

Attacker tries every possible key until he nds one that deciphers to the desired plaintext. We ignore the complexity of verifying whether deci- phered plaintext is the original one. For selective encryption with p = 1 (one-time pad), the ex- pected attack complexity is1/2. For selective en- cryption with p= 0 expected complexity is0. We

1 E.g. high redundancy of plaintext poses an even greater risk for selective encryption then for full text encryption.

consider every cipher for which attack complex- ity approaches 0 as plaintext length goes to +∞

insecure.

We assume that encrypting ppercent of plaintext bits with selective encryption reduces sender's work toppercent omitting overhead necessary for selecting those bits. In this situation we will be satised with (and accept this as reasonable degradation of secu- rity) reduction of attack complexity from 1/2 top/2, because this means that attacker's work is in average also reduced toppercent but no more.

2 Selectors

In this paper we will assume that plaintext is a bit se- quence sequence of zeros and ones. Letn >0denote plaintext sequence length. If we want to selectively en- crypt p∈(0,1) percent of plaintext, then we have to choose k =np bits of plaintext for encryption. In [4]

we analyzed dierent ways of bit selection for selec- tive encryption. We introduced the notion of selector algorithm which performs selection of thek bits for encryption based on n and p. The output of selector on input n and p is a bit sequence of lengthn with k =np ones indicating positions of bits chosen for encryption. Selective encryption algorithm proceeds in the following way:

1. The selector selectsk=np bits for encryption.

2. Encrypt only selected bits with one-time pad². As it can be seen our model was limited to selections which have exactly k = np bits selected. In [4] we proved that among the analyzed selectors only fully random selection of exactlyppercents of bits provides reasonable security forp≥1/2. In this place it is nec- essary to mention that in [4] we measured the attack complexity by the number of possible plaintexts³.

Because we are interested in the values of p <1/2 we relax the assumption that exactlyk=npbits have to be selected, and we only require that in average k bits have to be selected. This relaxation allows for using a selector which for every bit ips a biased coin one falls with probability p, zero with probability 1−p. Lets call this selector coin ipping selector. We hope that this step allow us to go with p below 1/2 because it introduce more uncertainty to attacker as all plaintext are now possible. For that reason we have to also change our attack complexity measure and we choose one mentioned in previous section.

2 Xor them with truly random noise.

3 For example, let p = 1/2. For a random bit selector there are 2ⁿ⁻¹ possible plaintexts for every ciphertext.

If the selector do not use randomness and deterministi- cally selects every even bit, there are only2^n/2possible plaintexts.

3 The coin ipping selector analysis

In the rest of the paper we will show the behavior of the attack complexity for the coin ipping selector for large messages (we will assume thatngoes to innity).

3.1 Average fraction of key space equation Firstly we need to determine the probability of the key of lengthnwith exactlyk ones on xedly chosen positions if in the selective encryption the coin ip- ping selector is used. Let denote this probability as PK(n, k, p), wherepis probability of encrypting.

Theorem 1.

PK(n, k, p) =p 2

^k 1−p

2 n−k

Proof.

PK(n, k, p) =

n−k

X

i=0

n−k i

p^k+i(1−p)^(n−k)−i 1 2^k+i, because we can get the key with exactly k ones on xedly chosen positions from any selection with ex- actly k+i ones with k ones on those xedly chosen positions andiones arbitrarily chosen from remaining n−k positions. Also one-time pad has to select for those k positions bit 1 and for remainingi positions bit 0 (thus we get 2^−(k+i)). We can simplify the last equation as follows:

p 2

^kn−kX

i=0

n−k i

p 2

ⁱ

(1−p)^(n−k)−i=

=p 2

^kp

2 + (1−p)n−k

=p 2

^k 1−p

2 n−k

. u t Derivative of the functionPK(n, k, p)with respect tokis:

PK(n, k, p) ln p

2−p

.

Since for all studied n > 0 and 0 < p < 1 expres- sionln(_2−p^p )is negative andPK(n, k, p)is positive we know, that PK(n, k, p)is strictly decreasing function with respect tok∈ h0, ni. Thus eective attacker will start searching key space from the most probable 0ⁿ key to the least probable1ⁿkey in direction of increas- ing number of ones in the key. Sort all2ⁿ keys in this order⁴ in an array with indexes from 1 to 2ⁿ. Then denote L(n, k) index of rst key of length n with k

4 Ordering of keys with equal number of ones is irrelevant since all have the same probability. It can be arbitrary but xed.

ones and U(n, k)will denote index of the last key of lengthnwithkones. It can easily be seen that:

L(n, k) = 1 +

k−1

X

i=0

n i

, U(n, k) =

k

X

i=0

n i

. Theorem 2. Let I(n, p) be a position in the above mentioned array where attacker nds the key in av- erage case. Then I(n, p) equals to:

1 2+1

2

2−p p

n n

X

k=0

" p 2−p

kn k

^k X

i=0

n+ 1 i

# .

Proof. LetPr(n, p, i)be probability that attacker nds key in positioni. Then:

I(n, p) =

2ⁿ

X

i=1

iPr(n, p, i).

Since Pr(n, p, i) is constant for all i between L(n, k) andU(n, k)we can write:

I(n, p) =

n

X

k=0





U(n,k)

X

i=L(n,k)

iPK(n, k, p)





SincePK(n, k, p)does not depend oniwe can move it in front of inner sum. The inner sum then reduces to:

U(n,k)

X

i=L(n,k)

i= [U(n, k)−L(n, k) + 1]L(n, k) +U(n, k) 2

Thus equation forI(n, p)changes to:

n

X

k=0

PK(n, k, p)1 2

n k

"

1− n

k

+ 2

k

X

i=0

n i

#

| {z }

Mark this term asx(n, k).

.

It is obvious thatx(n,0) = 2andx(n, k+1)−x(n, k) =

n+1 k+1

. Sox(n, k) = 1 +Pk i=0

n+1 i

. After substituting x(n, k)andPK(n, k, p)we can writeI(n, p)as:

1 2

n

X

k=0

p 2

k 1−p

2

n−kn k

"

1 +

k

X

i=0

n+ 1 i

# .

Then after factoring out 1−^p₂ⁿ we get:

1 2

1−p

2 n n

X

k=0

p 2−p

^kn k

"

1 +

k

X

i=0

n+ 1 i

# .

By expanding summand and using binomial theorem for

p

2−p+ 1n

we get:

1 2

1−p

2

ⁿ 2 2−p

n

+

+1 2

1−p

2 n n

X

k=0

p 2−p

^kn k

^k X

i=0

n+ 1 i

=

=1 2 +1

2

2−p 2

^{n n} X

k=0

p 2−p

^kn k

^k X

i=0

n+ 1 i

. u t Let us denote average fraction of key space which attacker has to search before he nds the key asF(n, p). Now, when we haveI(n, p), equation forF is obvious:

F(n, p) =

1

2+¹₂ ^2−p₂ ⁿ Pⁿ

k=0

_p

2−p

^k _n

k

P^k

i=0 n+1

i

2ⁿ+ 1 .

Although we have assumed that p < 1 we can ver- ify, that F(n,1) = 1/2 as expected. We can not use F(n,0) because Pr(n,0, k) is not a valid probability distribution over keys of lengthn.

3.2 Asymptotics

Based on Figure 1 we will now try to show that for all p <1 holds lim_n→∞F(n, p) = 0. This will be unwel- come result. It means that even if we encrypt nearly the entire plaintext up to some small fraction, this small fraction is still sucient to reduce attack com- plexity to a negligible fraction compared to full text encryption.

0.00 0.05 0.10 0.15 0.20 0.25 0.30 0.35 0.40 0.45 0.50

0 10 20 30 40 50 60 70 80 90 100 n(length of ciphertext)

F(n,0.25) F(n,0.50)

F(n,0.75) F(n,0.90)

Fig. 1. This graph indicates that lim

n→∞F(n, p) = 0.

Since we want to prove that the limit goes to zero, it is possible to simplify the proof by realizing that

F(n, p)≥0 and show that some simpler upper bound f₀(n, p)+f₁(n, p)+f₂(n, p)≥F(n, p)goes to zero too.

We choosef_i(n, p)as follows

f₀(n, p) = 1 2ⁿ⁺¹, f1(n, p) = 1

2ⁿ⁺¹

2−p 2

^{n α} X

k=0

p 2−p

^kn k

Sⁿ⁺¹_k ,

f2(n, p) = 1 2ⁿ⁺¹

2−p 2

n n

X

k=α

p 2−p

kn k

S_kⁿ⁺¹,

whereS_kⁿ⁺¹denotesPk i=0

n+1 i

andαis ⁿ₂−¹₂n⁵⁸. To prove the main limit it is sucient to show that for all i∈ {0,1,2} lim_n→∞f_i(n, p)equals to zero. For i= 0 it is trivial so we move toi= 1. In the proof we will use following lemma.

Lemma 1 (for proof see [5]). Letϕ(n)be any func- tion satisfyinglim_n→∞ϕ(n) =∞. Then

n→∞lim

Pn/2−ϕ(n)√ n k=0

n k

2ⁿ = 0.

Theorem 3. Let p <1. Thenlimn→∞f1(n, p) = 0. Proof. Firstly we replace f1(n, p) with even simpler upper bound:

f1(n, p)≤ 1 2ⁿ⁺¹

2−p 2

n

S_αⁿ⁺¹

α

X

k=0

p 2−p

k n k

≤

≤ 1 2ⁿ⁺¹

2−p 2

n

S_αⁿ⁺¹

n

X

k=0

p 2−p

k n k

=

= 1 2ⁿ⁺¹

2−p 2

ⁿ S_αⁿ⁺¹

2 2−p

ⁿ

= S_αⁿ⁺¹ 2ⁿ⁺¹ Now we can setϕ(n) = ⁽ⁿ⁻¹⁾

5 8+1 2√

n and use lemma 1:

n→∞lim S_αⁿ⁺¹ 2ⁿ⁺¹ = lim

n→∞

Pⁿ₂−¹₂n⁵8

i=0

n+1 i

2ⁿ⁺¹ = 0.

Becasef₁(n, p)≥0the theorem is proved. ut In the proof for i = 2we will utilize another two lemmas.

Lemma 2 (for proof see [6] equation 9.98). Let

|k| ≤ ¹₂n⁵⁸. Then binomial coecient around center forn→ ∞can be aproximated as follows:

n

n 2 −k

= 2ⁿ pπ

2ne^−2k

2 n

1 +O n⁻¹⁸

Lemma 3. Leta_k=

p 2−p

k n k

fork∈ {0,1, . . . , n}. Then the following inequality holds:

∀p∈(0,1)∃m ∀n > m ∀k≥ n 2 −1

2n⁵⁸ :ak> ak+1. Proof. We rewrite theorem inequality as a fraction. So we get∀p∈(0,1)∃m∀n > m∀k≥ ⁿ₂−¹₂n⁵⁸ :

ak+1

a_k <1⇔ p 2−p

n−k

k+ 1 <1⇔ n−k

k+ 1 < 2−p p . Because ^n−k_k+1 < ^n−k_k it is sucient to nd an arbitrary mthat∀n > m∀k≥ ⁿ₂ −¹₂n⁵⁸ :

n−k

k < 2−p

p ⇔n < k+k2−p

p ⇔n < k2 p By solving this inequality we get that it holds for every k > ^p₂n. Because we start withk= ⁿ₂ −¹₂n⁵⁸, we will now solve for whichnholds:

n 2 −1

2n⁵⁸ > p

2n⇔1− 1

n³⁸ > p⇔n >

1 1−p

⁸₃ .

Now we have showed that for all p∈(0,1), if we set mto

1 1−p

⁸₃ , then

∀n > m∀k≥ n 2 −1

2n⁵⁸ :ak> ak+1.

u t Now we are able to proof the last theorem on the limit of functionf2.

Theorem 4. Letp <1. Thenlimn→∞f2(n, p) = 0. Proof. Again we replacef2(n, p)with even simpler up- per bound:

1 2ⁿ⁺¹

2−p 2

^{n n} X

k=α

p 2−p

^kn k

S_kⁿ⁺¹

| {z }

≤2ⁿ⁺¹

≤

≤ 2−p

2

n n

X

k=α

p 2−p

k n k

| {z }

ak

Now we use lemma 3 and the fact that we are inter- ested in limit forn→ ∞. Thus for large enoughnwe can upper bound the last equation by

2−p 2

n

(n−α+ 1)aα=

= 2−p

2 n

(n−α+ 1) p

2−p αn

α

≤

0 5 10 15 20 25 30 35 40 45

0 1 2 3 4 5 6 7 8 9

ak

p= 0.8 n= 10

k k= 3

0 25 50 75 100 125 150 175 200 225 250

0 10 20 30 40 50 60 70

ak/1013

p= 0.8 n= 74

k k= 30

0 5 10 15 20 25 30 35 40 45 50

0 20 40 60 80 100 120 140

ak/1030

p= 0.8 n= 148

k k= 63

Fig. 2. These graphs illustrate how value ofakstarts to de- crease fromk=ⁿ₂−¹₂n⁵⁸ if large enoughnis used (n > m).

Forp= 0.8based on lemma 3 we get thatmapproximately equals to73.1.

≤ 2−p

2 ⁿ

n p

2−p ^αn

α

=

= 2−p

2

ⁿ p 2−p

ⁿ₂ 2−p p

¹₂ⁿ

5 8

n n

α

=

=[(2−p)p]ⁿ² 2ⁿ

2−p p

¹₂ⁿ

5 8

n n

n 2 −¹₂n⁵⁸

. In the sequel we get rid of binomial coecient by ap- plying lemma 2. We omit the1 +O(n⁻¹⁸)factor from following equations to save space.

[(2−p)p]ⁿ² 2ⁿ

2−p p

¹₂ⁿ

5 8

n 2ⁿ pπ

2ne⁻²

1 2n5

8²

n =

= r2

π[(2−p)p]ⁿ²

2−p p

¹₂n⁵8

√n e^{−12 4}

√n

We want to prove now that the last equation goes to zero as n approaches ∞. We will do so by showing that logarithm of the equation goes to−∞. We also omit constant factor p

2/π as it is irrelevant in this context.

n

2 ln(2−p)p+1 2n⁵⁸ ln

2−p p

+1

2lnn−1 2

√4

n+O n⁻¹⁸

Since ⁿ₂ln(2−p)pis most inuencing summand asn goes to innity andln(2−p)p <0we have proved that the equation goes to −∞. If we again omit the 1 + O(n⁻¹⁸) factor from the right-hand side of inequality we get for large enoughnthat

0≤f2(n, p)≤ r2

π[(2−p)p]ⁿ²

2−p p

¹₂ⁿ

5 8√

n e⁻¹²⁴

√n.

As we have proved that the right-hand side goes to zero asngoes to innity, we are done. ut

4 Conclusion

In this paper we have showed that even the coin ip- ping selector tremendously decreases the security of selective encryption for any p <1. In other words it means that even if we encrypt nearly the entire plain- text up to some small fraction, this small fraction is still enough to reduce attack complexity to negligible fraction compared to full text encryption. The same result holds for random bit selector from [4] if the at- tacker and the attack complexity from this paper is assumed. As a conclusion we can say, that every stud- ied selector signicantly degrades security even if the encrypted fraction is closed to1for large enough mes- sages.

References

1. Shi, C., Bhargava, B.: A fast mpeg video encryption algorithm. In: Proceedings of the sixth ACM interna- tional conference on Multimedia, ACM Press (1998) 81 2. Droogenbroeck, M.V., Benedett, R.: Techniques for a88 selective encryption of uncompressed and compressed images. In: Proceedings of ACIVS 2002 (Advanced Con- cepts for Intelligent Vision Systems), Ghent, Belgium (2002) 90 97

3. Liu, X., Eskicioglu, A.M.: Selective encryption of multi- media content in distribution networks: Challenges and new directions. ASTED International Conference on Communications, Internet and Information Technology (CIIT 2003) (2003)

4. Ostertág, R., Ko²inár, P.: Analýza selektorov pre selektívne ²ifrovanie. In: ITAT 2006: Information Technologies-Applications and Theory, Se¬a: PONT (2006) 131137

5. Olejár, D., Stanek, M.: On cryptographic properties of random Boolean functions. J.UCS: Journal of Universal Computer Science 4 (1998) 705718

6. Graham, R.L., Knuth, D.E., Patashnik, O.: Con- crete Mathematics: A Foundation for Computer Sci- ence. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA (1994)